Nie moge się pozbyć trojana win 32,proszę o sprawdzenie loga

Dla specjalistów Bezpieczeństwo
#1

Ani awast, ani spyware doctor czy mks-vir nie moga się uporać z pasożytem: win 32 Trojan-gen{other} wersja vps 080116, 080117-0 i in. Umiejscowił się teoretycznie w C:\lich.sys i plik ten udało mi się skasować, ale siedzi już w c:\windows\system32\bnmndrv.dll i tego skasowac nie mogę-odmowa dostępu.

Utworzyłam log:

Logfile of HijackThis v1.99.1

Scan saved at 22:22:28, on 2008-01-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Search Settings\SearchSettings.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Beniamin\tguard.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\DOCUME~1\BOENA~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb125\Dealio.dll

O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM…\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM…\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [au] C:\Program Files\Dealio\DealioAU.exe

O4 - HKLM…\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [tguard] C:\Program Files\Beniamin\tguard.exe

O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”

O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”

O4 - HKLM…\Run: [HP Software Update] “C:\Program Files\HP\HP Software Update\HPWuSchd.exe”

O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [sDTray] “C:\Program Files\Spyware Doctor\SDTrayApp.exe”

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\bożena\Dane aplikacji\Dealio\kb125\res\DealioSearch.html

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll

O9 - Extra ‘Tools’ menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\bnmndrv.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab

O17 - HKLM\System\CCS\Services\Tcpip…{8E12726E-C09C-43E3-BCA8-A20648B39D7F}: NameServer = 194.204.159.1 217.98.63.164

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe

Później skanowałam przez Combofix i oto log: ComboFix 08-01-18.3 - bożena 2008-01-17 23:20:43.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.427 [GMT 1:00]

Running from: C:\Documents and Settings\bożena\Moje dokumenty\6dtgGAw@neostrada.pl\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))

.

2008-01-17 23:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-17 21:34 . 2008-01-17 21:36 11,174,400 --a------ C:\Cecilia Bartoli - Ah! non credeaAh! non giunge (Malibran).mp3

2008-01-17 17:23 . 2008-01-17 17:23

2008-01-17 17:23 . 2001-07-01 17:30 112,640 --a------ C:\WINDOWS\lsb_un20.exe

2008-01-17 17:17 . 2008-01-17 17:28

2008-01-17 17:10 . 2008-01-17 17:10

2008-01-16 21:05 . 2008-01-16 21:24

2008-01-16 17:50 . 2008-01-17 15:01

2008-01-16 17:50 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-01-16 17:50 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-01-16 17:50 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-01-16 17:50 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-01-13 20:38 . 2008-01-16 19:16

2008-01-13 19:45 . 2008-01-13 19:45

2008-01-12 15:49 . 2008-01-12 15:49

2008-01-12 15:49 . 2008-01-12 15:49

2008-01-12 15:49 . 2006-11-26 23:52 712,704 --a------ C:\WINDOWS\system32\alpf.dll

2008-01-12 15:49 . 2006-11-02 00:14 655,360 --a------ C:\WINDOWS\system32\bnmndrv.dll

2008-01-12 15:45 . 2002-07-15 17:18 8,704 --a------ C:\WINDOWS\system32\sporder.dll

2008-01-11 11:50 . 2008-01-11 11:50 754 --a------ C:\WINDOWS\WORDPAD.INI

2008-01-09 22:13 . 2008-01-09 22:13 0 --a------ C:\WINDOWS\system32\lich.dat

2008-01-09 22:12 . 2008-01-09 22:12

2008-01-09 22:12 . 2008-01-09 22:12

2008-01-02 22:01 . 2008-01-02 22:02

2008-01-01 15:09 . 2008-01-01 15:09

2008-01-01 15:08 . 2008-01-01 15:09

2008-01-01 15:05 . 2008-01-01 15:05

2007-12-29 22:53 . 2007-12-29 22:54 4,903,333 --a------ C:\Temp\FreeYouTubeToMP3Converter.exe

2007-12-28 17:16 . 2007-12-28 17:16

2007-12-27 22:46 . 2008-01-13 20:03

2007-12-27 22:45 . 2008-01-17 21:36

2007-12-27 22:42 . 2007-12-29 22:57

2007-12-27 22:42 . 2008-01-05 21:41

2007-12-20 18:46 . 2008-01-18 23:28

2007-12-20 18:43 . 2007-12-23 23:00

2007-12-20 18:37 . 2007-12-20 18:37

2007-12-20 18:36 . 2007-12-20 18:36

2007-12-20 18:34 . 2007-12-20 18:34

.

Co teraz? Nie wiem, jak mam się z nim uporać… proszę, pomóżcie

#2 
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll

O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe

O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll	

O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll

O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe

usuń wpisy HJT

Użyj automatu -

Pobierz program SDFix